Details of the procedures and process for sharing patient information have been set out in a memorandum of understanding between the Home Office, the Department of Health and NHS Digital, published for the first time this week.

Although the MoU – which details the rules on patient information exchange between NHS Digital and the Home Office – came into effect on 1 January this year, government authorities have been able to request information from the NHS for law enforcement activities for some years.

The latest figures from NHS Digital show that the Home Office made 8,127 requests for information in 2016 up to November – the last date for which records are available.

Of these, 5,854 were approved and traced, with a further 1,583 requests approved but where NHS Digital was unable to trace the information.

This compares with 339 requests from the police during this time – of which 73 were approved and traced – and 2,703 requests from the National Crime Agency – of which 574 were approved and traced.

Related content

According to the MoU, the Home Office can request non-clinical information – such as last known address, date of birth and date of NHS registration – from NHS Digital in relation to immigration offences, such as escaping detention or exceeding a time limit to stay in the UK.

The document say that, because this information is “administrative in nature” it “falls at the less intrusive end of the privacy spectrum” and that the nature of immigration offences mean “there is a low probability of mistaken identity”.

The Home Office can only request information if it fulfils certain criteria, including that it has used “all usual sources of internal information” to establish contact with the person and that the disclosure of such information is “a matter of public interest”.

However, the document states that because of the non-clinical nature of the records requested, “the public interest threshold is lower”, especially “where there are concerns regarding the safety or welfare of an individual, such as a vulnerable child or adult”.

It argues that there is a public interest in disclosing data on offenders under the Immigration Act, emphasising the importance of “effective immigration controls” for the UK – for instance by allowing the removal of “those who might pose a danger to the public”.

The document also says that immigration offenders “harm the economic wellbeing of the country” and that it is in the public interest that “limited UK resources and public services (including the NHS, jobs, schools, housing) are protected from unnecessary financial and resource pressures”.

The document making clear that NHS Digital can refuse a request from the Home Office “without limitation…if it is not satisfied that the request is in the public interest”, but less than 120 of the 8,127 requests in 2016 were rejected by NHS Digital.

Data retention

The memorandum adds that all information must be sent to the Home Office under secure NHS mail and that all transfers of information, in both directions, must be done under the data protection principles in the Data Protection Act.

In addition, all information exchanged in these circumstances “will not be kept longer than is necessary for the purpose set out in this MoU”, and that once it is no longer relevant it must be destroyed securely.

NHS Digital is required to respond to a tracing request from the Home Office within 20 working days, but the Home Office can also request a shorter time frame if there are “exceptional circumstances”, which the memorandum said includes concern over the wellbeing of children.

The memorandum defines the Department of Health’s role as one of oversight – for data flow, accountability arrangements and updating ministers where necessary – and of brokering solutions in the event of issues between NHS Digital and the Home Office.

Shadow home secretary Diane Abbott described the use of patient data for immigration enforcement as “unacceptable”, arguing that it could deter people from seeking medical care and that “it should stop now”.